[Buildroot] [git commit] package/{glibc, localedef}: bump to version 2.38-13-g92201f16cbcfd9eafe314ef6654be2ea7ba25675

Peter Korsgaard peter at korsgaard.com
Fri Sep 29 19:28:05 UTC 2023 

commit: https://git.buildroot.net/buildroot/commit/?id=34f8d874eeffb8309a174d3423d8f350d68ab3eb
branch: https://git.buildroot.net/buildroot/commit/?id=refs/heads/master

Enable mathvec explicitly on aarch64(be) since it's now enabled by
default [1]. aarch64 mathvec requires at gcc-10 but Buildroot already
provide gcc-11 as minimum version.

Don't use --enable-fortify-source for now in order to keep original
behavior while doing the glibc version bump (and because some
architecture doesn't support well fortify-source, i.e Microblaze).
Postpone this change to a follow up commit.

Keep the "deprecated" libcrypt enabled just in case if some
application are not yet ready to use an alternative such as libxcrypt.

Security related changes:

  CVE-2023-25139: When the printf family of functions is called with a
  format specifier that uses an <apostrophe> (enable grouping) and a
  minimum width specifier, the resulting output could be larger than
  reasonably expected by a caller that computed a tight bound on the
  buffer size.  The resulting larger than expected output could result
  in a buffer overflow in the printf family of functions.

See:
https://lists.gnu.org/archive/html/info-gnu/2023-07/msg00010.html

Runtime tested with Qemu on Gitlab-ci:
https://gitlab.com/kubu93/buildroot/-/pipelines/998435203
https://gitlab.com/buildroot.org/toolchains-builder/-/pipelines/998926028

[1] https://sourceware.org/git/?p=glibc.git;a=commit;h=cd94326a1326c4e3f1ee7a8d0a161cc0bdcaf07e

Signed-off-by: Romain Naour <romain.naour at gmail.com>
Signed-off-by: Peter Korsgaard <peter at korsgaard.com>
---
 package/glibc/glibc.hash                              |  2 +-
 package/glibc/glibc.mk                                |  4 +++-
 .../0001-HACK-only-build-and-install-localedef.patch  | 12 +++++++-----
 ...ependency-on-GCC-to-4.8-and-binutils-to-2.24.patch | 19 +++++++++++--------
 package/localedef/localedef.mk                        |  2 +-
 5 files changed, 23 insertions(+), 16 deletions(-)

diff --git a/package/glibc/glibc.hash b/package/glibc/glibc.hash
index 453aadae11..4d2e9fbbd2 100644
--- a/package/glibc/glibc.hash
+++ b/package/glibc/glibc.hash
@@ -1,5 +1,5 @@
 # Locally calculated (fetched from Github)
-sha256  0f8bfad0b853a0c6e1dd1c3254a30b58d4c7050870fe2b0da90ad40f4d450ce2  glibc-2.37-2-g9f8513dc64119a424b312db97cef5d87d376defa.tar.gz
+sha256  06d73b1804767f83885ab03641e2a7bf8d73f0a6cf8caee4032d8d1cc2e76cce  glibc-2.38-13-g92201f16cbcfd9eafe314ef6654be2ea7ba25675.tar.gz
 
 # Hashes for license files
 sha256  8177f97513213526df2cf6184d8ff986c675afb514d4e68a404010521b880643  COPYING
diff --git a/package/glibc/glibc.mk b/package/glibc/glibc.mk
index 79e6c76cb4..844bed5051 100644
--- a/package/glibc/glibc.mk
+++ b/package/glibc/glibc.mk
@@ -7,7 +7,7 @@
 # Generate version string using:
 #   git describe --match 'glibc-*' --abbrev=40 origin/release/MAJOR.MINOR/master | cut -d '-' -f 2-
 # When updating the version, please also update localedef
-GLIBC_VERSION = 2.37-2-g9f8513dc64119a424b312db97cef5d87d376defa
+GLIBC_VERSION = 2.38-13-g92201f16cbcfd9eafe314ef6654be2ea7ba25675
 # Upstream doesn't officially provide an https download link.
 # There is one (https://sourceware.org/git/glibc.git) but it's not reliable,
 # sometimes the connection times out. So use an unofficial github mirror.
@@ -148,6 +148,8 @@ define GLIBC_CONFIGURE_CMDS
 		--disable-werror \
 		--without-gd \
 		--with-headers=$(STAGING_DIR)/usr/include \
+		$(if $(BR2_aarch64)$(BR2_aarch64_be),--enable-mathvec) \
+		--enable-crypt \
 		$(GLIBC_CONF_OPTS))
 	$(GLIBC_ADD_MISSING_STUB_H)
 endef
diff --git a/package/localedef/0001-HACK-only-build-and-install-localedef.patch b/package/localedef/0001-HACK-only-build-and-install-localedef.patch
index b289000c8a..49bbfd227c 100644
--- a/package/localedef/0001-HACK-only-build-and-install-localedef.patch
+++ b/package/localedef/0001-HACK-only-build-and-install-localedef.patch
@@ -1,4 +1,4 @@
-From 442e9a3f262c49cf61f9e7bdf12882f0a427666b Mon Sep 17 00:00:00 2001
+From bd5a87ea4a0cc0ba393a16bbeb166903e4085e8b Mon Sep 17 00:00:00 2001
 From: Michael Olbrich <m.olbrich at pengutronix.de>
 Date: Mon, 21 May 2018 16:45:02 +0200
 Subject: [PATCH] HACK: only build and install localedef
@@ -7,16 +7,18 @@ Signed-off-by: Michael Olbrich <m.olbrich at pengutronix.de>
 
 Upstream: https://git.pengutronix.de/cgit/ptxdist/plain/patches/localedef-glibc-2.27/0001-HACK-only-build-and-install-localedef.patch?id=47116f66f411d4dadfce42c2fdd6d41b351ccfd4
 Signed-off-by: Peter Seiderer <ps.report at gmx.net>
+[Romain: rebase on 2.38]
+Signed-off-by: Romain Naour <romain.naour at gmail.com>
 ---
  Rules           | 14 ++++++++++----
  locale/Makefile |  6 +++---
  2 files changed, 13 insertions(+), 7 deletions(-)
 
 diff --git a/Rules b/Rules
-index b1137afe71..2aeac31922 100644
+index 279ae490ac..1321956be6 100644
 --- a/Rules
 +++ b/Rules
-@@ -216,10 +216,16 @@ binaries-shared-notests = $(filter-out $(binaries-pie) $(binaries-static), \
+@@ -221,10 +221,16 @@ binaries-shared-notests = $(filter-out $(binaries-pie) $(binaries-static), \
  				       $(binaries-all-notests))
  
  ifneq "$(strip $(binaries-shared-notests))" ""
@@ -38,7 +40,7 @@ index b1137afe71..2aeac31922 100644
  
  ifneq "$(strip $(binaries-shared-tests))" ""
 diff --git a/locale/Makefile b/locale/Makefile
-index b7c60681fa..de4cf4003f 100644
+index d7036b0855..68afdddc7f 100644
 --- a/locale/Makefile
 +++ b/locale/Makefile
 @@ -33,15 +33,15 @@ categories	= ctype messages monetary numeric time paper name \
@@ -61,5 +63,5 @@ index b7c60681fa..de4cf4003f 100644
  
  libBrokenLocale-routines = broken_cur_max
 -- 
-2.33.0
+2.41.0
 
diff --git a/package/localedef/0002-relax-dependency-on-GCC-to-4.8-and-binutils-to-2.24.patch b/package/localedef/0002-relax-dependency-on-GCC-to-4.8-and-binutils-to-2.24.patch
index 94fccfa856..70d2b34bc1 100644
--- a/package/localedef/0002-relax-dependency-on-GCC-to-4.8-and-binutils-to-2.24.patch
+++ b/package/localedef/0002-relax-dependency-on-GCC-to-4.8-and-binutils-to-2.24.patch
@@ -1,4 +1,4 @@
-From 85412262460f6ba9f6e2cf8da74fc1904c54c854 Mon Sep 17 00:00:00 2001
+From add730a680075ed611797b9ea771bf977667a7de Mon Sep 17 00:00:00 2001
 From: Matt Weber <matthew.weber at rockwellcollins.com>
 Date: Thu, 6 Feb 2020 14:36:21 -0600
 Subject: [PATCH] relax dependency on GCC to 4.8 and binutils to 2.24
@@ -26,15 +26,17 @@ GCC 6.2+
 Signed-off-by: Matthew Weber <matthew.weber at rockwellcollins.com>
 [yann.morin.1998 at free.fr: update for 2.37]
 Signed-off-by: Yann E. MORIN <yann.morin.1998 at free.fr>
+[Romain: rebase on 2.38]
+Signed-off-by: Romain Naour <romain.naour at gmail.com>
 ---
- configure | 6 +++---
- 1 file changed, 3 insertions(+), 3 deletions(-)
+ configure | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
 
 diff --git a/configure b/configure
-index 9619c10991..0c481d2339 100755
+index 4ef387146d..4c6f91117d 100755
 --- a/configure
 +++ b/configure
-@@ -4178,7 +4178,7 @@ $as_echo_n "checking version of $LD... " >&6; }
+@@ -5293,7 +5293,7 @@ printf %s "checking version of $LD... " >&6; }
    ac_prog_version=`$LD --version 2>&1 | sed -n 's/^.*GNU ld.* \([0-9][0-9]*\.[0-9.]*\).*$/\1/p'`
    case $ac_prog_version in
      '') ac_prog_version="v. ?.??, bad"; ac_verc_fail=yes;;
@@ -43,8 +45,8 @@ index 9619c10991..0c481d2339 100755
         ac_prog_version="$ac_prog_version, ok"; ac_verc_fail=no;;
      *) ac_prog_version="$ac_prog_version, bad"; ac_verc_fail=yes;;
  
-@@ -4589,7 +4589,7 @@ int
- main ()
+@@ -5735,7 +5735,7 @@ int
+ main (void)
  {
  
 -#if !defined __GNUC__ || __GNUC__ < 6 || (__GNUC__ == 6 && __GNUC_MINOR__ < 2)
@@ -53,4 +55,5 @@ index 9619c10991..0c481d2339 100755
  #endif
    ;
 -- 
-2.33.0
+2.41.0
+
diff --git a/package/localedef/localedef.mk b/package/localedef/localedef.mk
index 6f8b170516..650b319a25 100644
--- a/package/localedef/localedef.mk
+++ b/package/localedef/localedef.mk
@@ -7,7 +7,7 @@
 # Use the same VERSION and SITE as target glibc
 # As in glibc.mk, generate version string using:
 #   git describe --match 'glibc-*' --abbrev=40 origin/release/MAJOR.MINOR/master | cut -d '-' -f 2-
-LOCALEDEF_VERSION = 2.37-2-g9f8513dc64119a424b312db97cef5d87d376defa
+LOCALEDEF_VERSION = 2.38-13-g92201f16cbcfd9eafe314ef6654be2ea7ba25675
 LOCALEDEF_SOURCE = glibc-$(LOCALEDEF_VERSION).tar.gz
 LOCALEDEF_SITE = $(call github,bminor,glibc,$(LOCALEDEF_VERSION))
 HOST_LOCALEDEF_DL_SUBDIR = glibc

More information about the buildroot mailing list